In Depth: China’s Regulatory Wave Hits the Credit Reporting Industry

With the release of a new set of rules on the management of credit reporting businesses, the regulatory framework for China’s credit reporting industry has entered a new era.

The Administrative Guideline for Credit Reporting Business (link in Chinese), released on Sept. 30 and to be effective from Jan. 1 next year, states that only licensed institutions can conduct credit reporting business. The guidance also lays out detailed principles governing each and every stage of the credit reporting process in terms of data management.

China’s credit reporting industry has mushroomed in recent years, driven by the boom in online lending platforms. It is estimated that more than 1,000 companies nationwide are engaged in the business of credit reporting. But many of them are yet to be properly supervised, leading to rampant data abuse, especially in the collection, analysis and application of “alternative data,” which cover a wide range of non-traditional credit information such as social network activity, mobile texts and e-commerce.

The new rules, together with the Personal Information Protection Law that went into effect Nov. 1, are part of government efforts to strengthen the regulatory framework for the credit reporting system in the country.

Under the new rules, companies should follow the principles of “minimum and necessary” and “inform and seek consent” in collecting credit information. Financial institutions are barred from collaborating with unlicensed entities to obtain credit information, which is seen as another way to push unlicensed players in the market to comply with the rules as soon as possible. A transition period of 18 months is granted for that.

“All data forbidden to be collected by law cannot and should not be collected, no matter how useful they are,” stressed Tian Di, a deputy director of the Credit Information System Bureau at the People’s Bank of China (PBOC), adding that “no data can be collected without the consent of the data subjects.”

A research report from law firm Han Kun Law Offices showed that the Personal Information Protection Law has set a very high standard of “inform + separate consent,” indicating that consent requests should be separated from other terms and conditions, and that data subjects should give separate consent for separate requests. If enforced rigorously, a substantial number of financial big-data providers will struggle to comply. In December, Pengyuan Credit Service Co. Ltd., a well-established credit ratings business, was confiscated and fined nearly 20 million yuan ($3.1 million) by the PBOC for conducting personal credit checks without a license, a signal that tighter regulations were to follow soon.

Multi-layered system

The PBOC noted in a Sept. 30 Q&A that the regulators would encourage and guide state-owned and private capital, as well as other social forces to actively participate in the construction of a multi-layered credit reporting system.

The multi-layered system incorporates five facets, according to Tian. The first refers to service regions, including both nationwide credit reporting services, like Pudao Credit Co. Ltd. and Baihang Credit Co. Ltd., and regional services such as credit reporting chains in the Yangtze River Delta or the Pearl River Delta.

The second facet refers to diverse types of entities participating in the market, including not only credit reporting institutions controlled by state-owned enterprises, but also those counting private enterprises as controlling shareholders. Particularly, Tian said, foreign capital is among the “other social forces” that are encouraged to take part. At the moment there are three foreign-controlled credit reporting companies operating in China: Shanghai Huaxia Dun & Bradstreet Business Information Consulting Co. Ltd., a joint venture; Experian Business Information & Consulting (Beijing) Co. Ltd. from the U.K.; and CRIF (Shanghai) Business Information Service Co. Ltd. from Italy.

 Read more  
British Credit Rating Giant Experian Makes U-Turn on China Strategy

The third facet includes a variety of products, ranging from basic credit reports to value-added services such as credit scoring. The fourth facet refers to multiple groups of people, regardless of whether or not they have credit records. And lastly, the fifth facet means diverse types of data, which could include both basic borrowing information and alternative data. Making provisions for data sharing among licensed credit reporting institutions is a high priority for regulators. Tian revealed that the PBOC is pushing for regional integration of credit reporting services with the help of blockchain technology. He also emphasized that nationwide credit reporting companies, namely Pudao Credit and Baihang Credit, are not competitors of the Credit Reference Center under the PBOC, given that the PBOC is considered as part of China’s national financial infrastructure.

Tian made it clear that regulators will not set a timetable for credit reporting institutions to break even, as he understood that it usually takes quite a long time for new players to turn profitable. The regulators’ job is to monitor the situation carefully, making sure the credit reporting market grows in a compliant and healthy way.

Another point of focus is the so-called “unregulated expansion of capital” that has led to a series of problems such as monopolies on data, unlicensed operation and lack of protection of data subjects. “These are common problems with online platforms that have been required to rectify,” says Tian.

 Read more  
Exclusive: China’s Fintech Giants Get Until End 2022 to Overhaul Credit Reporting Business

Innovative regulatory initiatives

The new rules represent a new way of regulation, which aim to bring the credit reporting business of unlicensed institutions — the likes of online platforms and big-data companies — under the umbrella of supervision by allowing them to collaborate with licensed ones. Dubbed “indirect regulation,” it is viewed as the first of its sort in this sector.

Tian considers it a goodwill gesture from the regulators because this effectively presents a way out for the online platforms, which have, over the years, collected huge amount of credit data from ordinary people, including alternative data. “They have played a positive role in making use of their alternative data with big data technology, so it would not be right to simply say no to all of them just because they are not compliant,” explained Tian.

The PBOC’s plan is to legalize the internal use of the data by online platforms. Meanwhile, there are two possible ways to make cross-company data transfer lawful. One is for online platforms, which hold the data, to become shareholders of licensed institutions. For example, JD.com Inc. and Xiaomi Corp. may transfer their data to Pudao Credit because they are the company’s shareholders. The other way is for online platforms to work with licensed institutions that will in turn process the data held by the platforms.

This rule applies to fintech subsidiaries of banks, too. Such subsidiaries are allowed to provide their data to their parent bank, but only for internal use. Transferring the data to anyone unlicensed outside the bank is a breach of the rule.

“Overall this is a very wise way to regulate,” a senior executive of a big-data company told Caixin. “Even the tech giants who want to appear less financial cannot escape supervision because credit information will have to be subject to the new rules as long as it’s used to serve financial activities.”

Loan facilitation, a lucrative business for many online platforms, thus falls under the regulatory oversight. In recent years, major fintech companies have collected an enormous amount of personal data and provided these data to financial institutions in order to help customers obtain loans. Such practices have traditionally been out of the regulatory scope. Not anymore.

Concerns have been raised as to how to maintain the independence of licensed credit reporting institutions, when one of their major shareholders happens to control a subsidiary engaged in the business of lending. Could conflict of interests be avoided? Licensed institutions will be strictly supervised, Tian reassured the industry, and credit reporting institutions must be fair when providing products and services to external users.

Link with the Personal Information Protection Law

The current legal framework overseeing the credit reporting business has three levels, as Tian spelled out. The first level involves three superordinate laws issued by the country’s top legislature: the Data Security Law, the Personal Information Protection Law, and the Cybersecurity Law. The second level is the Regulation on Credit Reporting Industry, released by the State Council, the nation’s cabinet. The third level is the rules released by government ministries, such as the set issued by the PBOC this time.

Tian believes that preventing the risk of loan default and protecting the lawful rights of individual data subjects are the two sides of the same coin, and the key to striking a balance between the two is to collect data in accordance with the law and within limits. While different companies may have different ways of interpreting the principle of “minimum and necessary,” the general principle is that the data that are “prohibited by law, related to national security, invasive to personal privacy or business confidentiality and not agreed by the data subject” should not be collected.

But how about sensitive biological identification data that have caused increasing concerns among consumers in the past few years? Tian reassured that the Regulation on Credit Reporting Industry (link in Chinese), which came into effect in 2013, has already made it clear that biological identification data should not be collected. Article 14 of the regulation declared that credit reporting institutions “are prohibited from collecting information about the religious beliefs, genes, fingerprints, blood type, disease or medical history of individuals.” For those tech giants who have already amassed a vast amount of personal data, their source of data, authorization process and usage of data will be checked and verified once they start to collaborate with licensed credit reporting institutions, according to Tian.

One grey area here could be the International Mobile Equipment Identity (IMEI), which is considered as a type of sensitive personal data that is very valuable to lenders. In China, more than 1 billion such IMEIs are held and controlled by three to five big-data companies, and some of them now provide their clients with products like mobile text analysis.

All in all, it’s still early days for the industry to work out how to apply the regulations and laws to daily operations in a better way. Legal precedents are still scant, and the sector needs further improvement through practice, Tian acknowledged.

Peng Qinqin contributed to this report.

Contact editor Lin Jinbing (jinbinglin@caixin.com)